sign in sign up
<<
Home , Least fixed point

Bisimulation and coinduction

Davide Sangiorgi

Focus Team, INRIA (France)/University of Bologna (Italy)

Email: [email protected] http://www.cs.unibo.it/˜sangio/

BiSS 2010, Bertinoro, March 2010 Objectives of the course

At the end of the course, a student should:

– have understood what bisimulation and coinduction are – be able to do (simple) bisimulation proofs and write coinductive definitions – have a grasp of the duality between induction and coinduction – know what a behavioural equivalence is, in particular the difference between bisimilarity and other behavioural equalities

page 1 References

This course is based on the draft book:

– Davide Sangiorgi, An introduction to bisimulation and coinduction, Draft, 2010

Please contact me if you’d like to read and comment parts of it.

page 2 Exam

– To be discussed – Based on chapters of the book

page 3 Outline

The success of bisimulation and coinduction

Towards bisimulation, or: from functions to processes

Bisimulation

Induction and coinduction

Weak bisimulation

Other equivalences: failures, testing, trace ...

Enhancements of the bisimulation proof method

....

page 4 The success of bisimulation and coinduction

page 5 Bisimulation in Computer Science

– One of the most important contributions of concurrency theory to CS – It has spurred the study of coinduction – In concurrency: probably the most studied equivalence ∗ ... in a plethora of equivalences (see van Glabbeek 93) ∗ Why?

page 6 Bisimulation in concurrency

– Clear meaning of equality – Natural – The finest extensional equality Extensional: – “whenever it does an output at b it will also do an input at a” Non-extensional: – “Has 8 states” – “Has an Hamiltonian circuit” – An associated powerful proof technique – Robust Characterisations: logical, algebraic, -theoretical, categorical, game-theoretical, .... – Several separation results from other equivalences

page 7 Bisimulation in concurrency, today

– To define equality on processes (fundamental !!) – To prove equalities ∗ even if bisimilarity is not the chosen equivalence · trying bisimilarity first · coinductive characterisations of the chosen equivalence – To justify algebraic laws – To minimise the state space – To abstract from certain details

page 8 Coinduction in programming languages

– Bisimilarity in functional languages and OO languages [Abramsky, Ong] A major factor in the movement towards operationally-based techniques in PL semantics in the 90s

– Program analysis (see Nielson, Nielson, Hankin ’s book) Noninterference (security) properties – Verification tools: algorithms for computing gfp (for modal and temporal logics), tactics and heuristics

page 9 – Types [Tofte] ∗ type soundness ∗ coinductive types and definition by corecursion Infinite proofs in Coq [Coquand, Gimenez] ∗ recursive types (equality, subtyping, ...) A coinductive rule:

Γ, hp1,q1i∼hp2,q2i ⊢ pi ∼ qi Γ ⊢hp1,q1i∼hp2,q2i

– Recursively defined data types and domains [Fiore, Pitts]

– Databases [Buneman]

– Compiler correctness [Jones]

page 10 Towards bisimulation, or: from functions to processes

page 11 The semantics of processes:

– usually operational: (Labelled Transitions Systems, behavioural equivalences) – alternative approach could be the denotational one: a structure-preserving would map processes into elements of a given semantic domain. Problem: it has often proved very hard to find appropriate semantic domains for these languages

page 12 Processes?

We can think of sequential computations as mathematical objects, namely functions.

Concurrent program are not functions, but processes. But what is a process?

No universally-accepted mathematical answer.

Hence we do not find in mathematics tools/concepts for the denotational semantics of concurrent languages, at least not as successful as those for the sequential ones.

page 13 Processes are not functions

A sequential imperative language can be viewed as a function from states to states.

These two programs denote the same function from states to states:

X := 2 and X := 1; X := X + 1

But now take a context with parallelism, such as [·] | X := 2. The program

X := 2 | X := 2 always terminates with X = 2. This is not true (why?) for

( X := 1; X := X +1) | X := 2

Therefore: Viewing processes as functions gives us a notion of equivalence that is not a congruence. In other words, such a semantics of processes as functions would not be compositional. page 14 Furthermore:

A concurrent program may not terminate, and yet perform meaningful computations (examples: an operating system, the controllers of a nuclear station or of a railway system). In sequential languages programs that do not terminate are undesirable; they are ‘wrong’.

The behaviour of a concurrent program can be non-deterministic. Example: ( X := 1; X := X +1) | X := 2 In a functional approach, non-determinism can be dealt with using powersets and powerdomains.

This works for pure non-determinism, as in λx. (3 ⊕ 5)

But not for parallelism.

page 15 What is a process? When are two processes behaviourally equivalent?

These are basic, fundamental, questions; they have been at the core of the research in concurrency theory for the past 30 years. (They are still so today, although remarkable progress has been made)

Fundamental for a model or a language on top of which we want to make proofs ...

We shall approach these questions from a simple case, in which interactions among processes are just synchronisations, without exchange of values.

page 16 Interaction

In the example at page 14

X := 2 and X := 1; X := X + 1 should be distinguished because they interact in a different way with the memory.

Computation is interaction. Examples: access to a memory cell, interrogating a data base, selecting a programme in a washing machine, ....

The participants of an interaction are processes (a cell, a data base, a washing machine, ...)

The behaviour of a process should tell us when and how a process can interact with its environment

page 17 How to represent interaction: labelled transition systems Definition 1 A labeled transition system (LTS) is a triple (P, Act, T ) where

– P is the set of states, or processes; – Act is the set of actions; (NB: can be infinite) – T ⊆ (P, Act, P) is the transition relation.

µ We write P −→ P ′ if (P,µ,P ′) ∈T . Meaning: process P accepts an interaction with the environment where P performs action µ and then becomes process P ′.

′ P is a derivative of P if there are P1,...,Pn,µ1,...,µn s.t. µ1 µn ′ P −→ P1 ... −→ Pn and Pn = P .

page 18 Example

A vending machine, capable of dispensing tea or coffee for 1 coin (1c).

The behaviour of the machine is what we can observe, by interacting with the machine. We can represent such a behaviour as an LTS:

tea s collect−tea 5 3

Õ 1c / s1 / s2 collect−coffee Y

% coffee s4

( where s1 is the initial state)

page 19 Other examples of LTS

(we omit the name of the states)

a

# = a {{= c {{ b {{ {{

CC CC CC CC a ! / b

page 20 Equivalence of processes

An LTS tells us what is the behaviour of processes. When should two behaviours be considered equal? ie, what does it mean that two processes are equivalent?

Two processes should be equivalent if we cannot distinguish them by interacting with them.

Example (where indicates the processes we are interested in):

a b

# a # = / c b c a

This shows that graph isomorphism as behavioural equivalence is too strong.

A natural alternative (from automata theory): trace equivalence.

page 21 Examples of trace-equivalent processes:

d b a - , ii = b 3 iiii iiii iiii iiii iiii d Ø a tiii U / j UUUU c UUUU V UUUU e UUUU UUUU UUUU $ 1 2 a 2 e c

a b / / = = a {{= {{ {{ {{ C CC CC CC a C! / b

These equalities are OK on automata. But they are not on processes: in one case interacting with the machine can lead to deadlock!

page 22 For instance, you would not consider these two vending machines ‘the same’:

tea collect−tea 1c - , ii collect−tea 3 iiii iiii iiii iiii iiii tea Ø 1c tiii / U / / − j UUUU collect coffee UUUU V UUUUcoffee UUUU UUUU UUUU $ 1 2 1c coffee collect−coffee

Trace equivalence (also called language equivalence) is still important in concurrency.

Examples: confluent processes; liveness properties such as termination

page 23 These examples suggest that the notion of equivalence we seek:

– should imply a tighter correspondence between transitions than language equivalence, – should be based on the informations that the transitions convey, and not on the shape of the diagrams.

Intuitively, what does it mean for an observer that two machines are equivalent?

If you do something with one machine, you must be able to the same with the other, and on the two states which the machines evolve to the same is again true.

This is the idea of equivalence that we are going to formalise; it is called bisimilarity.

page 24 Bisimulation and bisimilarity

We define bisimulation on a single LTS, because: the union of two LTSs is an LTS; we will often want to compare derivatives of the same process.

Definition 2 (bisimulation) A relation R on the states of an LTS is a bisimulation if whenever P R Q:

µ µ 1. ∀µ,P ′ s.t. P −→ P ′, then ∃Q′ such that Q −→ Q′ and P ′ R Q′; µ µ 2. ∀µ, Q′ s.t. Q −→ Q′, then ∃P ′ such that P −→ P ′ and P ′ R Q′.

P and Q are bisimilar, written P ∼ Q, if P R Q, for some bisimulation R.

P R Q The bisimulation diagram: µ ↓ µ ↓ P ′ R Q′

page 25 Exercises

To prove P ∼ Q you have to find a bisimulation R with P R Q (the bisimulation proof method) Exercise 1 Prove that the processes at page 21 are bisimilar. Are the processes at page 22 bisimilar? Proposition 1 1. ∼ is an equivalence relation, i.e. the following hold: 1.1. P ∼ P (reflexivity) 1.2. P ∼ Q implies Q ∼ P (symmetry) 1.3. P ∼ Q and Q ∼ R imply P ∼ R (transitivity); 2. ∼ itself is a bisimulation.

page 26 Proposition 1(2) suggests an alternative definition of ∼: Proposition 2 ∼ is the largest relation among the states of the LTS such that P ∼ Q implies:

µ µ 1. ∀µ,P ′ s.t. P −→ P ′, then ∃Q′ such that Q −→ Q′ and P ′ ∼ Q′; µ µ 2. ∀µ, Q′ s.t. Q −→ Q′, then ∃P ′ such that P −→ P ′ and P ′ ∼ Q′. Exercise 2 Prove Propositions 1-2 (for 1(2) you have to show that

∪{R | R is a bisimulation } is a bisimulation).

page 27 We write P ∼R∼ Q if there are P ′, Q′ s.t. P ∼ P ′, P ′ R Q′, and Q′ ∼ Q (and alike for similar notations). Definition 3 (bisimulation up-to ∼) A relation R on the states of an LTS is a bisimulation up-to ∼ if P R Q implies:

µ µ 1. if P −→ P ′, then there is Q′ such that Q −→ Q′ and P ′ ∼R∼ Q′. µ µ 2. if Q −→ Q′, then there is P ′ such that P −→ P ′ and P ′ ∼R∼ Q′. Exercise 3 If R is a bisimulation up-to ∼ then R ⊆∼. (Hint: prove that ∼R∼ is a bisimulation.)

page 28 Definition 4 (simulation) A relation R on the states of an LTS is a simulation if P R Q implies:

µ µ 1. if P −→ P ′, then there is Q′ such that Q −→ Q′ and P ′ R Q′.

P is simulated by Q, written P < Q, if P R Q, for some simulation R. Exercise* 1 Does P ∼ Q imply P < Q and Q

page 29 Exercise 4 Let µ+ range over non-empty sequences of actions. Consider the following definition of bisimulation: A relation R on the states of an LTS is a bisimulation if P R Q implies: µ+ µ+ 1. if P −→ P ′, then there is Q′ such that Q −→ Q′ and P ′ R Q′;

µ+ µ+ 2. if Q −→ Q′, then there is P ′ such that P −→ P ′ and P ′ R Q′. Prove that the definition above is the same as Definition 2.

page 30 Bisimulation has been introduced in Computer Science by Park (1981) and made popular by Milner.

Bisimulation is a robust notion: characterisations of bisimulation have been given in terms of non-well-founded-sets, modal logic, final coalgebras, open maps in category theory, etc.

But the most important feature of bisimulation is the associated coinductive proof technique.

page 31 Induction and coinduction

page 32 coinductive definitions and coinductive proofs

Bisimulation:

A relation R s.t. P R Q α α   P ′ R Q′

Bisimilarity (∼): ∪ {R | R is a bisimulation }

Hence:

x R y R is a bisimulation (bisimulation proof method) x ∼ y

page 33 – The definition of ∼ seems circular (From Proposition 2) ∼ is the largest relation such that P ∼ Q implies: µ (1) ∀µ,P ′ s.t. P −→ P ′, then µ ∃Q′ such that Q −→ Q′ and P ′ ∼ Q′; µ (2) ∀µ, Q′ s.t. Q −→ Q′, then µ ∃P ′ such that P −→ P ′ and P ′ ∼ Q′. does it make sense? – We claimed that we can prove (P, Q) ∈∼ by showing that (P, Q) ∈R and R is a bisimulation relation, that is a relation that satisfies the same clauses as ∼. Does such a proof technique make sense? – Contrast all this with the usual, familiar inductive definitions and inductive proofs. – The definition of ∼, and the associated proof technique are examples of a coinductive definition and of a coinductive proof technique.

page 34 Bisimulation and coinduction: what are we talking about? Has co-induction anything to do with induction?

page 35 Examples of induction and coinduction

page 36 An inductive definition: finite lists over a set A

ℓ ∈L a ∈ A nil ∈L hai • ℓ ∈L

Inductively, the rules are read in the “forward” direction

3 equivalent readings:

– The objects obtained with a finite proof from the rules – (iterative construction) Start from ∅; add all objects as in the axiom; repeat adding objects following the inference rule forwards – The smallest set closed forward under these rules

– nil ∈ T A set T is closed forward if: – ℓ ∈ T implies hai • ℓ ∈ T , for all a ∈ A

Inductive proof technique for lists: Let T be a predicate (a property) on lists. To prove that T holds on all lists, prove that T is closed forward page 37 A coinductive definition: finite and infinite lists over A

ℓ ∈L a ∈ A nil ∈L hai • ℓ ∈L

Coinductively, the rules are read in the “backward” direction

3 equivalent readings:

– The objects that are conclusion of a finite or infinite proof from the rules – X = all (finite and infinite) strings of A ∪ {nil, h, i, •} Start from X (all strings) and keep removing strings, following the backward-closure – The largest set closed backward under these rules

– either t = nil A set T is closed backward if ∀t ∈ T : – or t = hai • ℓ, for some ℓ ∈ T and a ∈ A

Coinduction proof method: to prove that ℓ is a finite or infinite list, find a set D with ℓ ∈ D and D closed backwards page 38 An example of an inductive definition: finite traces

µ A process P is stopped if it cannot do any transitions (i.e., P −→6 for all µ).

P has a a finite trace, written P ⇂, if P has a finite sequence of transitions that lead to a stopped process

⇂ has a natural inductive definition:

µ P stopped P −→ P ′ P ′ ⇂ P ⇂ P ⇂

⇂ is the smallest set of processes that is closed forward under the rules; i.e., the smallest subset S of Pr (all processes) such that

– all stopped processes are in S; µ – if there is µ such that P −→ P ′ for some P ′ ∈ S, then also P ∈ S.

Constructively: you can start from ∅ and keep adding processes, following the forward-closure, until no more processes can be added

page 39 An example of a coinductive definition: ω-traces

P has an ω-trace under µ, written P ↾µ, if it is possible to observe an infinite sequence of µ-transitions starting from P .

↾µ has a natural coinductive definition in terms of rules:

µ ′ ′ P −→ P P ↾µ P ↾µ

↾µ is the largest predicate on processes that is closed backward under the rule; i.e., the largest subset S of processes such that if P ∈ S then

µ – there is P ′ ∈ S such that P −→ P ′.

Constructively: you can start from Pr (all processes) and keep removing processes, following the backward-closure, until no more processes can be removed

page 40 Hence: to prove that a given process P has an ω-trace under µ it suffices to find some T ⊆ Pr that is closed backward and with P ∈ T ;

This is the coinduction proof principle, for ω-traces.

What is the smallest predicate closed backwards?

a - Example: P1 m P2 a b b   P3 P4 = a

def The set S1 = {P1,P2} is closed backward under the rules for ↾a, hence P1 ↾a and P2 ↾a hold.

Other such sets are S2 = {P4} and S1 ∪ S2.

Note that on the processes P1 and P2 both ⇂ and ↾a hold.

page 41 An inductive definition: convergence, in λ-calculus

Set of λ-terms (an inductive def!) e ::= x | λx. e | e1(e2)

Convergence to a value (⇓), on closed λ-terms, call-by-name:

e ′ e1 ⇓ λx. e0 e0{ 2/x} ⇓ e ′ λx. e ⇓ λx. e e1(e2) ⇓ e

As before, ⇓ can be read in terms of finite proofs, limit of an iterative construction, or smallest set closed forward under these rules

⇓ is the smallest relation S on (closed) λ-terms s.t. – λx. e C λx. e for all abstractions, e ′ ′ – if e1 C λx. e0 and e0{ 2/x} C e then also e1(e2) C e .

page 42 A coinductive definition: divergence in the λ-calculus

Divergence (⇑), on closed λ-terms, call-by-name:

e e1 ⇑ e1 ⇓ λx. e0 e0{ 2/x} ⇑ e1(e2) ⇑ e1(e2) ⇑

The ‘closed backward’ reading:

⇑ is the largest predicate on λ-terms that is closed backward under these rules; i.e., the largest subset D of λ-terms s.t. if e ∈ D then – either e = e1(e2) and e1 ∈ D, e – or e = e1(e2), e1 ⇓ λx. e0 and e0{ 2/x}∈ D.

Coinduction proof technique : to prove e ⇑, find E ⊆ Λ closed backward and with e ∈ E

What is the smallest predicate closed backwards?

page 43 The duality induction/coinduction

page 44 Constructors/destructors

– An inductive definition tells us what are the constructors for generating all the elements (cf: the forward closure). – A coinductive definition tells us what are the destructors for decomposing the elements (cf: the backward closure).

The destructors show what we can observe of the elements (think of the elements as black boxes; the destructors tell us what we can do with them; this is clear in the case of infinite lists).

page 45 Definitions given by means of rules

– if the definition is inductive, we look for the smallest universe in which such rules live. – if it is coinductive, we look for the largest universe. – the inductive proof principle allows us to infer that the inductive set is included in a set (ie, has a given property) by proving that the set satisfies the forward closure; – the coinductive proof principle allows us to infer that a set is included in the coinductive set by proving that the given set satisfies the backward closure.

page 46 Forward and backward closures

A set T being closed forward intuitively means that

for each rule whose premise is satisfied in T there is an element of T such that the element is the conclusion of the rule.

In the backward closure for T , the order between the two quantified entities is swapped:

for each element of T there is a rule whose premise is satisfied in T such that the element is the conclusion of the rule.

In fixed-point theory, the duality between forward and backward closure will the duality between pre-fixed points and post-fixed points.

page 47 Congruences vs bisimulation equivalences

Congruence: an equivalence relation that respects the constructors of a language

Example (λ-calculus)

Consider the following rules, acting on pairs of (open) λ-terms:

(e1, e2) (e1, e2) (e1, e2) (x, x) (e e1, e e2) (e1 e, e2 e) (λx. e1, λx. e2)

A congruence: an equivalence relation closed forward under the rules

The smallest such relation is syntactic equality: the identity relation

In other words, congruence rules express syntactic constraints

page 48 Bisimulation equivalence: an equivalence relation that respects the destructors

Example (λ-calculus, call-by-name)

Consider the following rules

e1 ⇑ e2 ⇑ e1, e2 closed (e1, e2) ′ ′ ′ e′′ ′ e′′ e1 ⇓ λx. e1 e2 ⇓ λx. e2 ∪e′′ {(e1{ /x}, e2{ /x})} ′′ e1, e2, e closed (e1, e2)

∪σ {(e1σ, e2σ)} e1, e2 non closed, σ closing substitution for e1, e2 (e1, e2)

A bisimulation equivalence: an equivalence relation closed backward under the rules

The largest such relation is semantic equality: bisimilarity

In other words, the bisimulation rules express semantic constraints page 49 Substitutive relations vs bisimulations

In the duality between congruences and bisimulation equivalences, the equivalence requirement is not necessary.

Leave it aside, we obtaining the duality between bisimulations and substitutive relations

a relation is substitutive if whenever s and t are related, then any term t′ must be related to a term s′ obtained from t′ by replacing occurrences of t with s

page 50 Bisimilarity is a congruence

To be useful, a bisimilarity on a term language should be a congruence

This leads to proofs where inductive and coinductive techniques are intertwined

In certain languages, for instance higher-order languages, such proofs may be hard, and how to best combine induction and coinduction remains a research topic.

What makes the combination delicate is that the rules on which congruence and bisimulation are defined — the rules for syntactic and semantic equality — are different.

page 51 The duality inductive definition coinductive definition induction proof principle coinduction proof principle constructors observations smallest universe largest universe least fixed point greatest fixed point pre-fixed points post-fixed point ’forward closure’ in rules ’backward closure’ in rules congruence bisimulation equivalence substitutive relation bisimulation identity bisimilarity syntax semantics

page 52 In what sense are ∼, ↾µ, ⇂, etc. fixed-points?

What is exactly the coinduction proof technique?

What is the mathematical sense of the duality between induction and coinduction ?

What follows answers these questions. It is a simple application of fixed-point theory on complete lattices.

To make things simpler, we work on powersets and fixed-point theory. (It is possible to be more general, working with universal algebras or category theory.)

page 53 Complete lattices

The important example of complete lattice for us: powersets.

For a given set X, the powerset of X, written ℘(X), is

℘(X) =def {T | T ⊆ X}

℘(X) is a complete lattice because:

– it comes with a relation ⊆ (set inclusion) that is reflexive, transitive, and antisymmetric. – it is closed under union and intersection

(∪ and ∩ give least upper bounds and greatest lower bounds for ⊆)

A (or poset): a non-empty set with a relation on its elements that is reflexive, transitive, and antisymmetric.

A complete lattice: a poset with all joins (least upper bounds) and (hence) also all meets (greatest lower bounds).

page 54 Fixed-point Theorem

NB: Complete lattices are “dualisable” structures: reverse the arrows and you get another complete lattice. Similarly, statements on complete lattices can be dualised.

For simplicity, we will focus on complete lattices produced by the powerset construction. But all statements can be generalised to arbitrary complete lattices

An endofunction F is monotone if T ⊆ T ′ implies F (T ) ⊆ F (T ′)

Theorem [Fixed-point Theorem] If F : ℘(X) → ℘(X) is monotone, then

lfp(F )= {T | F (T ) ⊆ T } \ gfp(F )= {T | T ⊆ F (T )} (the meet of the pre-fixed points,[ the join of the post-fixed points)

In fact, the theorem tells us more: the set of fixed points is itself a complete lattice, and the same for the sets of pre-fixed points and post-fixed points. page 55 Sets coinductively and inductively defined by F

Given a complete lattice produced by the powerset construction, and an endofunction F on it, the sets:

def Fcoind = {x | x ⊆ F (x)} [ def Find = {x | F (x) ⊆ x} are the sets coinductively defined\ by F , and inductively defined by F .

page 56 Induction and coinduction proof principles

We immeditately derive:

if x ⊆ F (x) then x ⊆ Fcoind (coinduction proof principle) if F (x) ⊆ x then Find ⊆ x (induction proof principle)

By the Fixed-point Theorem: when F monotone, Fcoind is the greatest fixed point of F , and dually for Find.

Hence for monotone functions we can rephrase the principles thus:

Induction and coinduction proof principles, for monotone functions:

if F (x) ≤ x then lfp(F ) ≤ x if x ≤ F (x) then x ≤ gfp(F )

page 57 We actually know more, from Fixed-point theory.

Eg: in the hypothesis of the Fixed-point Theorem, the set of post-fixed point is a complete lattice.

Thus the join of post-fixed points is itself a post-fixed point, and dually so.

– Inductive definitions give us lfp’s (precisely: an inductive definition tells us how to construct the lfp). coinductive definitions give us gfp’s. – On inductively-defined sets the inductive proof principle is the same as the familiar induction technique, and similarly the coinductive proof principles give us the desired coinductive techniques

page 58 Definitions by means of rules

Given a set X,a ground rule on X is a pair (S, x) with S ⊆ X and x ∈ X

We can write a rule (S, x) as

x1 ...xn ... x where {x1,...,xn,...} = S.

A set R of rules on X yields a monotone endofunction ΦR, called the functional of R (or rule functional), on the complete lattice ℘(X), where

′ ′ ΦR(T )= {x | (T , x) ∈R for some T ⊆ T }

Exercise Show that ΦR above is indeed monotone. Then show that every monotone operator on the complete lattice ℘(X) can be expressed as the functional of some set of rules.

page 59 By the Fixed-point Theorem there are least fixed point and greatest fixed point, lfp(ΦR) and gfp(ΦR), obtained via the join and meet in the theorem.

They are indeed called the sets inductively and coinductively defined by the rules.

We also get, from the induction and coinduction principles:

if T ⊆ ΦR(T ) then T ⊆ gfp(ΦR)

if ΦR(T ) ⊆ T then lfp(ΦR) ⊆ T

Useful to spell out concretely what all this means, beginning with the more familiar induction.

page 60 A set T being a pre-fixed point of ΦR means that:

for all rules (S, x) ∈R, if S ⊆ T , then also x ∈ T .

That is:

(i) the conclusions of each axiom is in T ; (ii) each rule whose premises are in T has also the conclusion in T .

This is precisely the ‘forward’ closure.

Fixed-point Theory tells us that the the least fixed-point is the least pre-fixed point.

The induction proof principle, then, reads as follows. If you want to prove that all the elements of the set inductively defined by the rules have a property T , then prove that T is a pre-fixed point of ΦR

This is the familiar way of reasoning inductively on rules. The assumption “S ⊆ T ” is the inductive hypothesis. The base of the induction is given by the axioms of R, where the set S is empty. page 61 Now the case of coinduction. A set T being a post-fixed of ΦR means that

for all t ∈ T there is a rule (S, t) ∈R with S ⊆ T

This is precisely the ‘backward’ closure

Thus the greatest fixed point is the greatest set closed backward.

The coinduction proof principle reads thus: That is: if you want to show x is in the set coinductively defined by the rules, then you must find T with x ∈ T and T post-fixed point of ΦR

In the literature, the principles in this and previous slide are sometimes referred to as the principles of rule induction and of rule coinduction.

Exercise Let R be a set of ground rules, and suppose each rule has a non-empty premise. Show that lfp(ΦR)= ∅.

page 62 Examples finite traces, revised

µ P stopped P −→ P ′ P ′ ⇂ P ⇂ P ⇂

As ground rules, these become:

def R⇂ = {(∅,P ) | P is stopped} µ {({P ′},P ) | P −→ P ′ for some µ} S This yields the following functional:

def ′ ′ µ ′ ΦR⇂(T ) = {P | P is stopped, or there are P ,µ with P ∈ T and P −→ P }

The sets ‘closed forward’ are the pre-fixed points of ΦR⇂. Thus the smallest set closed forward and the associated proof technique become examples of inductively defined set and of induction proof principle. page 63 Examples ω-traces, revised

µ ′ ′ P −→ P P ↾µ P ↾µ

As ground rules, this yields:

def ′ µ ′ R↾µ = {({P },P ) | P −→ P } .

This yields the following functional:

µ def there is ′ and ′ ΦR↾µ(T ) = {P | P ∈ T P −→ P }

Thus the sets ‘closed backward’ are the post-fixed points of , and the ΦR↾µ largest set closed backward is the greatest fixed point of ; ΦR↾µ Similarly, the proof technique for ω-traces is derived from the coinduction proof principle.

page 64 Example: the λ-calculus

In the case of ⇓, the rules manipulate pairs of closed λ-terms, thus they act 0 0 on the set Λ × Λ . The rule functional for ⇓, written Φ⇓, is

def ′ ′ ′′ ′′ Φ⇓(T ) = {(e, e ) | e = e = λx. e , for some e } ′ {(e, e ) | e = e1 e2 and ∃ e such that (e , λx. e ) ∈ T and (e {e2/x}, e′) ∈ T } . S 0 1 0 0

In the case of ⇑, the rules are on Λ0. The rule functional for ⇑ is

def Φ⇑(T ) = {e1 e2 | e1 ∈ T, } e {e1 e2 | e1 ⇓ λx. e0 and e0{ 2/x}∈ T }. S

page 65 Example: the finite lists

Let F be this function (from sets to sets):

F (T ) =def {nil} ∪ {cons(a, s) | a ∈ A, s ∈ T }

F is monotone, and finLists = lfp(F ). (i.e., finLists is the smallest set solution to the equation L = nil + cons(A, L)).

From the induction and coinduction principles, we infer: Suppose T ⊆ finLists. If F (T ) ⊆ T then T ⊆ finLists (hence T = finLists).

Proving F (T ) ⊆ T requires proving

– nil ∈ T ; – ℓ ∈ finLists ∩ T implies cons(a, ℓ) ∈ T , for all a ∈ A.

This is the same as the familiar induction technique for lists

page 66 Note: F is defined the class of all sets, rather than on a powerset; the class of all sets is not a complete lattice (because of paradoxes such as Russel’s), but the constructions that we have seen for lfp and gfp of monotone functions apply.

page 67 Example: mathematical induction n The rules are : (for all n ≥ 0) 0 n + 1 We thus obtain the natural numbers as the least fixed point of a rule functional.

This characterisation justifies the common proof principle of induction on the natural numbers, called mathematical induction: if a property on the naturals holds at 0 and, whenever it holds at n, it also holds at n + 1, then the property is true for all naturals.

A variant induction on the natural numbers: the inductive step assumes the property at all numbers less than or equal to n

This corresponds to a variant presentation of the natural numbers, where the rules are: 0, 1,...,n (for all n ≥ 0) 0 n + 1

page 68 Other examples:

Structural induction, Induction on derivation proofs, Transition induction, Well-founded induction, Transfinite induction

page 69 Well-founded induction

Given a well-founded relation R on a set X, and a property T on X, to show that X ⊆ T (the property T holds at all elements of X), it suffices to prove that, for all x ∈ X: if y ∈ T for all y with y R x, then also x ∈ T . mathematical induction, structural induction can be seen as special cases

Well-founded induction is indeed the natural generalisation of mathematical induction to sets and, as such, it is frequent to find it in Mathematics and Computer Science.

Example: proof of a property reasoning on the lexicographical order on pairs of natural numbers

page 70 We can derive well-founded induction from fixed-point theory in the same way as we did for rule induction.

In fact, we can reduce well-founded induction to rule induction taking as rules, for each x ∈ X, the pair (S, x) where S is the set {y | y R x} and R the well-founded relation.

Note that the set inductively defined by the rules is precisely X; that is, any set equipped with a well-founded relation is an inductive set.

page 71 Transfinite induction

The extension of mathematical induction to ordinals

Transfinite induction says that to prove that a property T on the ordinals holds at all ordinals, it suffices to prove, for all ordinals α: if β ∈ T for all ordinals β < α then also α ∈ T .

In proofs, this is usually split into three cases:

(i) 0 ∈ T ; (ii) for each ordinal α, if α ∈ T then also α + 1 ∈ T ; (iii) for each limit ordinal β, if α ∈T for all α < β then also β ∈ T .

page 72 Transfinite induction acts on the ordinals, which form a proper class rather than a set.

As such, we cannot derive it from the fixed-point theory presented.

However, in practice, transfinite induction is used to reason on sets, in cases where mathematical induction is not sufficient because the set has ’too many’ elements.

In these cases, in the transfinite induction each ordinal is associated to an element of the set. Then the < relation on the ordinals is a well-founded relation on a set, so that transfinite induction becomes a special case of well-founded induction on sets.

Another possibility: lifting the theory of induction to classes.

page 73 Function definitions by and corecursion

One often finds functions defined by means of systems of equations. Such definitions may follow the schema of recursion or corecursion.

Examples on the well-founded set of the natural numbers: the factorial function

f(0) = 1 f(n +1) = n × f(n)

An example of structural recursion is the function f that defines the number of λ-abstractions in a λ-term:

f(x) = 0 f(λx. e)=1+ f(e) f(e e′)= f(e)+ f(e′)

It is possible to define patterns of equations for well-founded recursion, and prove that whenever the patterns are respected the functions specified exist and are unique. The proof makes use of well-founded induction twice, to prove that such functions exist and to prove its unicity page 74 While a function defined by recursion acts on the elements of an inductive set, one defined by corecursion produces an element of a coinductive set.

An equation for a corecursive function specifies the immediate observables of the element returned by the function for instance, if the element is an infinite list, the equation should tell us specify the head of the list.

Examples are the definitions of the functions map, iterate

As in the case of recursion, so for corecursion one can produce general equation schemata, and prove that any system of equations satisfying the schemata defines a unique function (or unique functions, in case of mutually recursive equations)

page 75 Enhancements of the principles

Theorem Let F be a monotone endofunction on a complete lattice L, and y a post-fixed point of F (i.e., y ≤ F (y)). Then

gfp(F )= {x | x ≤ F (x ∪ y)} [ principle of coinduction up-to ∪:

Let F be a monotone endofunction on a complete lattice, and suppose y ≤ F (y); then x ≤ F (x ∪ y) implies x ≤ gfp(F ).

page 76 Theorem Let F be a monotone endofunction on a complete lattice L, and • : L × L → L an associative function such that:

1. for all x, y, x′, y′ ∈ L, whenever both x ≤ F (x′) and y ≤ F (y′), then x • y ≤ F (x′ • y′); 2. for all x with x ≤ F (x) we have both x ≤ x • gfp(F ) and x ≤ gfp(F ) • x.

Then gfp(F )= {x | x ≤ F (gfp(F ) • x • gfp(F ))} [ principle of coinduction up-to gfp:

Let F be a monotone endofunction on a complete lattice L, and • : L × L → L an associative function for which the assumptions (1) and (2) of Theorem above hold; then x ≤ F (gfp(F ) • x • gfp(F )) implies x ≤ gfp(F ).

page 77 Equality on coinductive data types

On infinite lists (more generally coinductively defined sets) proving equality may be delicate (they can be “infinite objects”, hence one cannot proceed inductively, eg on their depth)

We can prove equalities adapting the idea of bisimulation.

We show this for FinInfListsA

The coinductive definition tells us what can be observed

We can make this explicit in FinInfListsA defining an LTS on top of the lists: a hai • s −→ s

Lemma 1 For s, t ∈ FinInfListsA, it holds that s = t if and only if s ∼ t.

page 78 Example

map f nil = nil map f (hai • s) = hf(a)i • map f s

iterate f a = hai • iterate f f(a)

Thus iterate f a builds the infinite list

hai•hf(a)i•hf(f(a))i • ...

Show that, for all a ∈ A:

map f (iterate f a)= iterate f f(a)

page 79 Proof

R =def {(hai • map f (iterate f a), hai • iterate f f(a)) | a ∈ A} is a bisimulation

Let (P, Q) ∈R, for P =def hai • map f (iterate f a) Q =def hai • iterate f f(a) We have a def P −→ map f (iterate f a) = P ′ a def Q −→ iterate f f(a) = Q′ Applying the definition of iterate,

Q′ = hf(a)i • iterate f f(f(a)) =def Q′′

Similarly, P ′ = map f hai • (iterate f f(a)) and now, from the definition of map,

= hf(a)i • map f (iterate f f(a)) =def P ′′ page 80 We have (P ′′, Q′′) ∈R (as f(a) ∈ A). Moreover, since by Lemma 1 = ⊆∼, also P ′ ∼ P ′′ and Q′ ∼ Q′′.

a a Summarising, we have showed that P −→ P ′′ and Q −→ Q′′ and P ′′ R Q′′. This concludes the proof that R is a bisimulation

page 81 Continuity and cocontinuity

Constructive characterisations of least fixed point’s and greatest fixed point’s are obtained via another important theorem of fixed-point theory Definition 5 An endofunction on a complete lattice is:

– continuous if for all sequences T0,T1 ... of increasing points in the lattice (i.e.,

Ti ⊆ Ti+1, for i ≥ 0) we have F ( i Ti)= i F (Ti).

– cocontinuous if for all sequences TS0,T1 ...Sof decreasing points in the lattice (i.e., Ti+1 ⊆ Ti, for i ≥ 0) we have F ( i Ti)= i F (Ti).

For an endofunction F on a completeT lattice, FTn(x) indicates the n-th iteration of F starting from the point x:

F 0(x) =def x F n+1(x) =def F (F n(x))

Then we set: ∩ω def n F (x) = n≥0 F (x) ∪ω def n F (x) = n≥0 F (x) T page 82 S Theorem 1 For a cocontinuous endofunction F on a complete lattice we have:

gfp(F )= F ∩ω(⊤).

Dually, if F is continuous:

lfp(F )= F ∪ω(⊥) where ⊤ and ⊥ are the top and bottom elements of the lattice

page 83 If F is not cocontinuous, and only monotone, we only have gfp(F ) ≤ F ∩ω(⊤). The converse need not hold, as the following exercise shows. Exercise 5 Let L be the set of negative integers plus the elements −ω and −(ω + 1), with the expected ordering −n ≥−ω ≥−(ω + 1), for all n. Let now F be the following function on L:

F (−n) = −(n + 1) F (−ω) = −(ω + 1) F (−(ω +1)) = −(ω + 1)

Show that F is monotone but not cocontinuous, and we have F ∩ω(⊤)= −ω and gfp(F )= −(ω + 1) 

However, if it happens that F ∩ω(⊤) is a fixed point, then we are sure that it is indeed the greatest fixed point. Having only monotonicity, to reach the greatest fixed point using induction, we need to iterate over the transfinite ordinals. The dual statement, for continuity and least fixed points, also holds.

page 84 Theorem 2 Let F be a monotone endofunction on a complete lattice L, and define F λ(⊤), where λ is an ordinal, as follows:

F 0(⊤) =def ⊤ λ def β F (⊤) = F ( β<λ F (⊤)) for λ> 0 T ∞ def λ ∞ Define also F (⊤) = λ F (⊤). Then F (⊤)= gfp(F ). T As the ordinals are linearly ordered, and each ordinal is either the successor of another ordinal or the least upper bound of all its predecessors, the above definition can also be given thus:

F 0(⊤) =def ⊤ F λ+1(⊤) =def F (F λ(⊤)) for successor ordinals λ def β F (⊤) = F ( β<λ F (⊤)) for limit ordinals T Thus, on the naturals, the definitions of the F n used in Theorem 1 coincides with those used in Theorem 2, which explains why the notation is the same.

page 85 Continuity and cocontinuity, for rules

The functional given by a set of rules need not be continuous or cocontinuous. As an example, consider a rule

a1 ... an ... a and call φ is the associated functional. Let Tn = {a1,...,an}. We have a ∈ φ( n Tn), but a 6∈ n φ(Tn), which proves that φ is not continuous. We can recover continuity and cocontinuity for rule functionals adding some S S conditions.

The duality is less obvious, and needs some care. Definition 6 A set R of rules is finite in the premises , briefly FP, if for each rule (S, x) ∈R the premise set S is finite. 

Exercise 6 Show that if the set of rules R is FP, then ΦR is continuous; conclude ∪ω that lfp(ΦR) = ΦR (∅). 

page 86 the statement of Exercise 6 does not hold for cocontinuity. Asa counterexample, take X = {b} ∪ {a1,...,an,...}, and the set of rules ({ai},b), for each i, and let Φ be the corresponding rule functional. Thus Φ(T )= {b} if there is i with ai ∈ T , otherwise Φ(T )= ∅. Consider now the sequence of decreasing sets T0,...,Tn,..., where

def Ti = {aj | j ≥ i}

We have Φ( n Tn)= ∅, but n Φ(Tn)= {b}. To obtain cocontinuityT we needT some finiteness conditions on the conclusions of the rules (rather than on the premises as for continuity). Definition 7 A set of rules R is finite in the conclusions , briefly FC, if for each x, the set {S | (S, x) ∈ R} is finite (i.e., there is only a finite number of rules whose conclusion is x; note that, by contrast, each premise set S may itself be infinite). 

Theorem 3 If a set of rules R is FC, then ΦR is cocontinuous.  Exercise 7 Prove Theorem 3. 

∩ω Corollary 1 If a set of rules R on X is FC, then gfp(ΦR) = Φ (X).  R page 87 Without FC, and therefore without cocontinuity, we have nevertheless ∩ω gfp(ΦR) ⊆ ΦR (X). With the FP or FC hypothesis we are thus able of applying the Continuity/Cocontinuity Theorem 1. For FP and continuity, the theorem tells us that given some rules R, the set inductively defined by R can be ∪ω obtained as ΦR (∅), that is, the limit of the increasing sequence of sets

∅, ΦR(∅), ΦR(ΦR(∅)), ΦR(ΦR(ΦR(∅))),... .

This means that we construct the inductive set starting with the empty set, adding to it the conclusions of the axioms in R (ΦR(∅)), and then repeatedly adding elements following the inference rules in R in a ’forward’ manner. This corresponds to the usual constructive way of interpreting inductively a bunch of rules

As usual, the case for coinductively defined sets is dual.

page 88 Bisimulation as a fixed-point

Consider the function F∼ : ℘(Pr × Pr) → ℘(Pr × Pr) so defined.

F∼(R) is the set of all pairs (P, Q) s.t.:

µ µ 1. ∀µ,P ′ s.t. P −→ P ′, then ∃Q′ such that Q −→ Q′ and P ′ R Q′; µ µ 2. ∀µ, Q′ s.t. Q −→ Q′, then ∃P ′ such that P −→ P ′ and P ′ R Q′.

We have:

– F∼ is monotone;

– R is a bisimulation iff R⊆ F∼(R).

– ∼ = gfp(F∼);

page 89 Stratification of bisimilarity

Continuity, operationally:

Consider the following sequence of equivalences, inductively defined:

def ∼0 = Pr × Pr

def P ∼n+1 Q = :

µ ′ ′ µ ′ ′ ′ 1. if P −→ P , then there is Q such that Q −→ Q and P ∼n Q . µ ′ ′ µ ′ ′ ′ 2. if Q −→ Q , then there is P such that P −→ P and P ∼n Q .

Then set:

def ∼ω = n ∼n We have,T for all 0 ≤ n < ω:

n ω ∩ω ∼n = F∼(Pr), and ∼ = F∼ (Pr)

page 90 Theorem 4 On processes that are image-finite: ∼=∼ω

Image-finite processes : each reachable state can only perform a finite set of transitions.

Abbreviation: an =def a. ...a. 0 (n times)

n Example: 1≤i≤n a (note: n is fixed)

P def n Non-example: P = 1≤i<ω a In the theorem, image-finitenessP is necessary:

ω ω P ∼ω P + a but P 6∼ P + a

page 91 The stratification of bisimilarity given by continuity is also the basis for algorithms for mechanically checking bisimilarity and for minimisation of the state-space of a process

These algorithms work on processes that are finite-state (ie, each process has only a finite number of possible derivaties)

They proceed by progressively refining a partition of all processes

In the initial partition, all processes are in the same set

Bisimulation: P-complete [Alvarez, Balcazar, Gabarro, Santha, ’91 ]

With m transitions, n states: O(m log n) time and O(m + n) space [Paige, Tarjan, ’87]

Trace equivalence, testing: PSPACE-complete [Kannelakis, Smolka, ’90; Huynh, Tian, 95 ]

page 92 Some simple process operators (from CCS)

Nil: a terminated process, no transitions

Prefixing Action sequentialisation

PRE µ µ. P −→ P

page 93 Parallel composition

µ ′ P1 −→ P PARL 1 µ ′ P1 | P2 −→ P1 | P2

µ ′ P2 −→ P PARR 2 µ ′ P1 | P2 −→ P1 | P2

µ ′ µ ′ P1 −→ P P2 −→ P COM 1 2 τ ′ ′ P1 | P2 −→ P1 | P2

As an example, the process P =def (a. 0 | b. 0) | a. 0 has the transitions

a τ P −→ (0 | b. 0) | a. 0 P −→ (0 | b. 0) | 0 b a P −→ (a. 0 | 0) | a. 0 P −→ (a. 0 | b. 0) | 0

page 94 Choice µ ′ P1 −→ P SUML 1 µ ′ P1 + P2 −→ P1 µ ′ P2 −→ P SUMR 2 µ ′ P1 + P2 −→ P2 def As an example, the process P = (a. Q1 | a. Q2)+ b. R has the transitions

τ a P −→ Q1 | Q2 P −→ a. Q1 | Q2 a b P −→ Q1 | a. Q2 P −→ R

Constants (Recursive process definitions)

Each constant K has a behaviour specified by a set of transitions of the µ form K −→ P .

a Example: K −→ K

page 95 A specification and an implementation of a counter

Take constants Countern, for n ≥ 0, with transitions

up Counter0 −→ Counter1 and, for n> 0,

up down Countern −→ Countern+1 Countern −→ Countern−1 .

The initial state is Counter0

An implementation of the counter in term of a constant C with transition

up C −→ C | down. 0 .

page 96 Proof

def n 0 R = {(C | Π1 down. , Countern) | n ≥ 0} , is a bisimulation up-to ∼

n 0 Take (C | Π1 down. , Countern) in R. n 0 µ Suppose C | Π1 down. −→ P .

By inspecting the inference rules for parallel composition: µ can only be either up or down.

n 0 µ = up. the transition from C | Π1 down. originates from C, which performs up 0 n+1 0 the transition C −→ C | down. , and P = C | Π1 down. . up ′ Process Countern can answer Countern −→ Countern+1. For P = P and Q = Countern+1, this closes the diagram.

page 97 n 0 The pair being inspected: (C | Π1 down. , Countern) n 0 µ Action: C | Π1 down. −→ P

µ = down. It must be n> 0. The action must originate from one of the 0 n 0 down. components of Π1 down. , which has made the transition down down. 0 −→ 0. n 0 Therefore P = C | Π1 Pi, where exactly one Pi is and all the others are down. 0. n−1 0 we have: P ∼ C | Π1 down. . Process Countern can answer with the transition down Countern −→ Countern−1. ′ def n−1 0 This closes the diagram, for P = C | Π1 down. and def ′ Q = Countern−1, as P R Q.

n 0 The case when Countern moves first and C | Π1 down. has to answer is similar.

page 98 Weak bisimulation

page 99 Consider the processes

τ. a. 0 and a. 0

They are not strongly bisimilar.

But we do want to regard them as behaviourally equivalent! τ-transitions represent internal activities of processes, which are not visible.

(Analogy in functional languages: (λx. x)3 and 3 are semantically the same.)

Internal work (τ-transitions) should be ignored in the bisimulation game. Define:

τ (i) =⇒ as the reflexive and transitive closure of −→. µ µ (ii) =⇒ as =⇒−→=⇒ (relational composition). µb µ (iii) =⇒ is =⇒ if µ = τ; it is =⇒ otherwise.

page 100 Definition 8 (weak bisimulation, or observation equivalence) A process relation R is a weak bisimulation if P R Q implies:

µ µb 1. if P =⇒ P ′, then there is Q′ s.t. Q =⇒ Q′ and P ′ R Q′; 2. the converse of (1) on the actions from Q.

P and Q are weakly bisimilar , written P ≈ Q, if P R Q for some weak bisimulation R.

Why did we study strong bisimulation?

– ∼ is simpler to work with, and ∼⊆≈; (cf: exp. law) – the theory of ≈ is in many aspects similar to that of ∼; – the differences between ∼ and ≈ correspond to subtle points in the theory of ≈

Are the processes τ. 0 + τ. a. 0 and a. 0 weakly bisimilar ?

page 101 Examples of non-equivalence:

a + b 6≈ a + τ. b 6≈ τ. a + τ. b 6≈ a + b

Examples of equivalence:

τ. a ≈ a ≈ a + τ. a

a.(b + τ. c) ≈ a.(b + τ. c)+ a. c

These are instances of useful algebraic laws, called the τ laws: Lemma 2 1. P ≈ τ. P ; 2. τ. N + N ≈ N; 3. M + α.(N + τ. P ) ≈ M + α.(N + τ. P )+ α. P .

page 102 µ In the clauses of Definition 8, the use of =⇒ on the challenger side can be heavy.

For instance, take the CCS process K ⊜ τ.(a | K); for all n, we have K =⇒ (a |)n | K, and all these transitions have to be taken into account in the bisimulation game.

The following definition is much simpler to use (the challenger makes a single move): Definition 9 A process relation R is a weak bisimulation if P R Q implies:

µ µb 1. if P −→ P ′, then there is Q′ s.t. Q =⇒ Q′ and P ′ R Q′; 2. the converse of (1) on the actions from Q (ie, the roles of P and Q are inverted). Proposition 3 The definitions 8 and 9 of weak bisimulation coincide.

Proof A useful exercise. 

page 103 Weak bisimulations “up-to” Definition 10 (weak bisimulation up-to ∼) A process relation R is a weak bisimulation up-to ∼ if P R Q implies:

µ µb 1. if P −→ P ′, then there is Q′ s.t. Q =⇒ Q′ and P ′ ∼R∼ Q′; 2. the converse of (1) on the actions from Q. Exercise 8 If R is a weak bisimulation up-to ∼ then R ⊆≈. Definition 11 (weak bisimulation up-to ≈) A process relation R is a weak bisimulation up-to ≈ if P R Q implies:

µ µb 1. if P =⇒ P ′, then there is Q′ s.t. Q =⇒ Q′ and P ′ ≈R≈ Q′; 2. the converse of (1) on the actions from Q. Exercise 9 If R is a weak bisimulation up-to ≈ then R ⊆≈.

page 104 Enhancements of the bisimulation proof method

– The forms of “up-to” techniques we have seen are examples of enhancements of the bisimulation proof method – Such enhancements are extremely useful ∗ They are essential in π-calculus-like languages, higher-order languages – Various forms of enhancement (“up-to techniques”) exist (up-to context, up-to substitution, etc.) – They are subtle, and not well-understood yet

page 105 Example: up-to bisimilarity that fails

In Definition 10 we cannot replace ∼ with ≈ :

τ. a. 0 R 0

  a. 0 0

≈ ≈

τ. a. 0 R 0

page 106 Other equivalences

page 107 Concurrency theory: models of processes

LTS

Petri Nets

Mazurkiewikz traces

Event structures

I/O automata

page 108 Process calculi

CCS [→ π-calculus → Join ]

CSP

ACP

Additional features: real-time, probability,...

page 109 Behavioural equivalences (and preorders)

traces

bisimilarity (in various forms)

failures and testing

non-interleaving equivalences (in which parallelism cannot be reduced to non-determinism, cf. the expansion law) [causality, location-based]

Depending on the desired level of abstraction or on the tools available, an equivalence may be better than an other. van Glabbeek, in ’93, listed more than 50 forms of behavioural equivalence, today the listing would be even longer

Rob J. van Glabbeek: The Linear Time - Branching Time Spectrum II, LNCS 715, 1993

page 110 Failure equivalence

In CSP equivalence, it is intended that the observations are those obtained from all possible finite experiments with the process

A failure is a pair (µ+, A), where µ+ is a trace and A a set of actions. The failure (µ+, A) belongs to process P if

µ+ – P −→ P ′, for some P ′ τ – not P ′ −→ a – not P ′ −→, for all a ∈ A

Example: P =def a.(b. c. 0 + b. d. 0) has the following failures:

– (ǫ, A) for all A with a 6∈ A. – (a, A) for all A with b 6∈ A. – (ab, A) for all A with {c,d} 6⊆ A. – (abc, A) and (abd, A), for all A

Two processes are failure-equivalent if they possess the same failures page 111 Advantages of failure equivalence:

– the coarsest equivalence sensitive to deadlock – characterisation as testing equivalence

Advantages of bisimilarity:

– the coinductive technique – the finest reasonable behavioural equivalence for processes – robust mathematical characterisations

Failure is not preserved, for instance, by certain forms of priority

page 112 These processes are failure equivalent but not bisimilar

c b c • / • • / • / • = = b {{= a {{= {{ {{ {{ {{ a {{ {{ • / • • CC CC CC CC CC CC CC CC b ! a ! • / • • / • / • d b d

A law valid for failure but not for bisimilarity:

a.(b. P + b. Q)= a. b. P + a. b. Q

page 113 Testing

page 114 – The testing theme: Processes should be equivalent unless there is some test that can tell them apart – We first show how to capture bisimilarity this way – Then we will notice that there are other reasonable ways of defining the language of tests, and these may lead to different semantic notions. – In this section: processes are (image-finte) LTSs (ie, finitely-branching labelled trees), with labels from a given alphabet of actions Act

page 115 Bisimulation in a testing scenario

Language for testing:

T ::= SUCC | FAIL | a. T | a. T | T1 ∧ T2 | T1 ∨ T2 | ∀T | ∃T

e (a ∈ Act)

The outcomes of an experiment, testing a process P with a test T :

O(T,P ) ⊆ {⊤, ⊥}

⊤ :success

⊥ : lack of success (failure, or success is never reached)

Notation:

def a P ref(a) = P cannot perform a (ie, there is no P ′ st P −→ P ′)

page 116 Outcomes

O(SUCC,P )= ⊤

O(FAIL,P )= ⊥

{⊥} if P ref(a) O(a. T,P )= ′ a ′ ( {O(T,P ) | P −→ P } otherwise S {⊤} if P ref(a) O(a. T,P )= ′ a ′ ( {O(T,P ) | P −→ P } otherwise

⋆ O(eT1 ∧ T2,P )=SO(T1,P ) ∧ O(T1,P )

⋆ O(T1 ∨ T2,P )= O(T1,P ) ∨ O(T1,P ) {⊤} if ⊥ 6∈ O(T,P ) O(∀T,P )= {⊥} otherwise  {⊤} if ⊤ ∈ O(T,P ) O(∃T,P )= {⊥} otherwise  where ∧⋆ and ∨⋆ are the pointwise extensions of ∧ and ∨ to powersets page 117 Examples (a)

• • @ a ~~ @@ a ~~ @@ a ~~ @@  ~ • • • @ b ~~ @@ c ~~ @@ ~~ @@ b c ~   • • • •

P1 P2

For T1 = a.(b. SUCC ∧ c. SUCC), we have O(T1,P1)= {⊤} and O(T1,P2)= {⊥}

page 118 Examples (b)

• • @ a ~~ @@ a ~~ @@ ~~ @@ a ~  • • • b b   • •

P3 P4

For T3 = a. b. SUCC, we have O(T3,P3)= {⊥, ⊤} and O(T3,P4)= {⊤}

For T4 = a. b. FAIL, we have O(T4,P3)= {⊥, ⊤} and O(T4,P4)= {⊥}

e

page 119 Examples (c)

• • @ a ~~ @@ a ~~ @@ ~~ @@ a ~  • • • @ b ~~ @@ b ~~ @@ b b ~~ @@   ~ • • • • c d c d     • • • •

P5 P6

For T = ∃a. ∀b. c. SUCC, we have O(T,P5)= {⊤} and O(T,P6)= {⊥}

Exercise: define other tests that distinguish between P5 and P6.

page 120 Examples (d)

• O • oo OO oo NNN a ooo OOO a a ooo NN a ooo OOO ooo NNN ooo OOO ooo NNN ooo OOO ooo NN oo OO oo NNN • woo O' • • woo & • @ @ @ @ b ~~ @@ a a ~~ @@ a b ~~ @@ a @@ a ~~ @@ ~~ @@ ~~ @@ @@ ~~ @@ ~~ @@ ~~ @@ @@ ~ ~ ~ • • • • • • • a a   • •

P7 P8

Exercise 10 Define tests that distinguish between P7 and P8.

page 121 Note: Every test has an inverse:

SUCC = FAIL FAIL = SUCC a. T = a. T a. T = a. T T1 ∧ T2 = eT1 ∨ T2 T1 ∨e T2 = T1 ∧ T2 ∀T = ∃T ∃T = ∀T

We have:

1. ⊥ ∈ O(T,P ) iff ⊤ ∈ O(T,P ) 2. ⊤ ∈ O(T,P ) iff ⊥ ∈ O(T,P )

page 122 The equivalence induced by these tests:

def P ∼T Q = for all T , O(T,P )= O(T, Q).

Theorem 5 ∼=∼T

– The proof is along the lines of the proof of characterisation of bisimulation in terms of modal logics (Hennessy-Milner’s logics and theorem) – A similar theorem holds for weak bisimilarity (with internal actions, the definition of the tests may need to be refined)

page 123 Testing equivalence

– The previous testing scenario requires considerable control over the processes (eg: the ability to copy their state at any moment) One may argue that this is too strong – An alternative: the tester is a process of the same language as the tested process (in our case: an LTS) – Performing a test : the two processes attempt to communicate with each other. – Thus most of the constructs in the previous testing language are no longer appropriate (for instance, because they imply the ability of copying a process) – To signal success, the tester process uses a special action w 6∈ Act

page 124 Outcomes of running a test

Experiments: E ::= hT,P i | ⊤

A run for a pair hT,P i: a (finite or infinite) sequence of esperiments Ei such that

1. E0 = hT,P i a 2. a transition Ei −→ Ei+1 is defined by the following rules:

a a T −→ T ′ P −→ P ′ hT,P i −→hT ′,P ′i

w T −→ T ′ hT,P i −→⊤ ′ 3. the last element of the sequence, say Ek, is such that there is no E ′ such that Ek −→ E .

page 125 We now set:

⊤ ∈ O(T,P ) if hT,P i has a run in which ⊤ appears (ie, hT,P i =⇒⊤)

⊥ ∈ O(T,P ) if there is a run for hT,P i in which ⊤ never appears

Testing equivalence (≃): the equivalence on processes so obtained

Note: If processes could perform internal actions, then other rules would be needed:

τ T −→ T ′ hT,P i −→hT ′,P i

τ P −→ P ′ hT,P i −→hT,P ′i

page 126 O(T,P ) is a non-empty subset of the 2-point lattice ⊤

⊥ However, there are 3 ways of lifting such lattice to its non-empty subsets:

℘May ℘Must ℘Testing {⊤} = {⊤, ⊥} {⊤} {⊤}

{⊥} {⊥} = {⊤, ⊥} {⊤, ⊥}

{⊥}

℘May : the possibility of success is essential

℘Must : failure is disastrous

The resulting equivalences are ≃May (may testing) and ≃Must (must testing)

Note: ≃Testing is ≃ page 127 Theorem 6 1. ≃=(≃May ∩≃Must)

2. ≃May coincides with trace equivalence 3. ≃ coincides with failure equivalence

page 128 Example

• • • @ a ~~ @@ a ~~ @@ a a ~~ @@   ~ • • • • @ b ~~ @@ b ~~ @@ b ~~ @@ b b  ~   • • • • • @ c ~~ @@ d ~~ @@ ~~ @@ c c ~   d   d • • • • • •

P9 P6 P5

P9 ≃May P5 ≃May P6 P9 6≃Must P5 ≃Must P6 P9 6≃ P5 ≃ P6 P9 6∼ P5 6∼ P6

page 129 a a / / • j / • • / •

τ

Q1 Q2

ω In CCS: Q1 = τ | a, and Q2 = a. 0

Q1 and Q2 are weakly bisimilar, but not testing equivalent

Justification for testing: bisimulation is insensitive to divergence

Justification for bisimulation: testing is not “fair”

(notions of fair testing have been proposed, and then bisimulation is indeed strictly included in testing)

page 130 All equivalences discussed in these lectures reduce parallelism to interleaving, in that

a. 0 | b. 0 is the same as a. b. 0 + b. a. 0

Not discussed in these lectures: equivalences that refuse the above equality (called true-concurrency, or non-interleaving)

page 131